How to do it...

Linux provides several tools for controlling access to network services. TCP Wrappers is one of them, and it adds an additional layer of protection in front of the services that support it. In the following steps, we will see how to configure TCP Wrappers to define access for different hosts:

  1. First, we need to check whether a program supports TCP Wrappers. To do so, find the path of the program's executable by using the which command:
    which sshd

Here, we have used the SSH program as an example.

  2. Next, we use the ldd program to check whether the SSH program is linked against the TCP Wrappers library:
    ldd /usr/sbin/sshd

If the output of the preceding command includes libwrap.so, the program supports TCP Wrappers.

  3. Now, whenever a client connects to a service that uses TCP Wrappers, two files are checked in the following order:
    • /etc/hosts.allow: If a matching rule is found in this file for the program, access is granted
    • /etc/hosts.deny: If a matching rule is found in this file for the program, access is denied
  4. If no matching rule is found in either of the two files for the specific program, access is granted. This is the default, so a service is only protected once a rule is written for it.
  5. If we try to connect to the SSH server before adding any rule, we will see that it connects successfully:

  6. Now, let's suppose we want to deny access to the SSH program for a particular system with a given IP address. To do so, we will edit the /etc/hosts.deny file, as follows:

  7. Now, if we try to connect to the SSH server from this particular system for which we have denied access, it shows the following error:

  8. If we want to allow access to all the programs for all the clients, either add no rules to either of the two files or add the following line to the /etc/hosts.allow file:

  9. If we want to allow access to all the services from a particular client with the IP address 192.168.1.106, then we add the following line to the /etc/hosts.allow file:

  10. If we want to allow all the clients on a particular network to access SSH, except for a particular client with the IP address 192.168.1.100, we make the following changes in the /etc/hosts.allow file:

  11. After making the aforementioned changes, when we try to connect through SSH from the excluded client, we will see the following error:

We can see that once the client's IP address is changed, SSH access is allowed again, which means that all the clients on the particular network can access SSH, except for the one IP address that has been denied.

  12. The preceding steps block the services for which we define a rule in the /etc/hosts.allow file. However, on the server end, we don't get to find out which client has tried to access the server and when. So, if we want to maintain a log of all connection attempts by clients, we can edit the /etc/hosts.allow file, as follows:

In the preceding line, the spawn option specifies that whenever a connection request is made by a client, the shell command that follows it is run; the command echoes the client details, substituted by the %h expansion, and appends them to the log file, conn.log.

  13. Now, when we read the contents of the conn.log file, we see its details, as shown here:

The file contains a log of when the client tried to connect and from which IP address. More details can be captured by using the other % expansions available to the spawn option.
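To make the evaluation order in steps 3 and 4 and the % expansion used by spawn in step 12 concrete, here is a small Python model of the tcpd decision. It is an added example, not code from the book or from the TCP Wrappers project: it parses constructed hosts.allow and hosts.deny contents (string constants, not the real system files) in the `daemon_list : client_list [: option]` form, consults hosts.allow before hosts.deny, falls back to allow when nothing matches, and expands %d, %h and %a in a spawn option without running it. Only IP-address client patterns (ALL, net/mask, dotted prefix, exact address, EXCEPT) are modelled; host-name patterns and the other expansions are left out, and %h is resolved to the address because there is no DNS in this toy.

```python
"""Toy model of the tcpd hosts_access(5) decision (added example, not real tcpd)."""
import ipaddress
import re

# Constructed sample files: NOT real system files, just strings that mirror the
# rules the recipe describes (a network allowed EXCEPT one host, one client
# allowed for every service, one host denied for sshd, and spawn logging).
HOSTS_ALLOW = """\
# hypothetical /etc/hosts.allow
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.100 : spawn /bin/echo "%d from %h" >> /var/log/conn.log
ALL : 192.168.1.106
"""
HOSTS_DENY = """\
# hypothetical /etc/hosts.deny
sshd : 192.168.1.100
"""


def _parse(text):
    """Yield (daemon_list, client_list, options) for each non-comment rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            continue  # malformed line: tcpd would log a syntax error and skip it
        options = parts[2] if len(parts) == 3 else ""
        yield parts[0], parts[1], options


def _client_token(token, client_ip):
    """One client pattern: ALL, net/mask, dotted prefix ('192.168.1.'), or exact address."""
    if token == "ALL":
        return True
    if "/" in token:
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if token.endswith("."):
        return client_ip.startswith(token)
    return client_ip == token


def _daemon_token(token, daemon):
    return token == "ALL" or token == daemon


def _match_list(spec, value, token_matches):
    """'a b EXCEPT c d' means (a b) EXCEPT (c d): the left side must match, the right must not."""
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return _match_list(left, value, token_matches) and not _match_list(right, value, token_matches)
    return any(token_matches(t, value) for t in re.split(r"[,\s]+", spec) if t)


def check_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (decision, source, options). hosts.allow is consulted first, then
    hosts.deny; a client matching neither file is allowed, which is tcpd's default."""
    for source, text, decision in (("hosts.allow", allow_text, "allow"),
                                   ("hosts.deny", deny_text, "deny")):
        for daemons, clients, options in _parse(text):
            if _match_list(daemons, daemon, _daemon_token) and _match_list(clients, client_ip, _client_token):
                return decision, source, options
    return "allow", "default", ""


def expand_percent(template, daemon, client_ip):
    """Expand the % sequences tcpd substitutes before running a spawn command.
    %h is the client host name, or its address when no name is known; this toy
    has no DNS, so %h and %a both become the address. %% is a literal percent."""
    return (template.replace("%%", "\0")
                    .replace("%d", daemon)
                    .replace("%h", client_ip)
                    .replace("%a", client_ip)
                    .replace("\0", "%"))


if __name__ == "__main__":
    for d, ip in (("sshd", "192.168.1.50"), ("sshd", "192.168.1.100"),
                  ("vsftpd", "192.168.1.106"), ("sshd", "10.0.0.5")):
        decision, source, options = check_access(d, ip)
        print(f"{d:7} {ip:15} -> {decision:5} via {source}  {expand_percent(options, d, ip)}")
```

The last case is the one worth noticing: a client outside the network that matches no rule in either file is allowed, so a deny-by-default policy needs an explicit `ALL : ALL` line in hosts.deny, which the model confirms when that text is passed as `deny_text`.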
